Linux Kernel NFC Subsystem Use-After-Free Vulnerability in ST-NCI Driver

A use-after-free vulnerability has been identified in the Linux kernel's NFC subsystem, specifically within the ST-NCI driver for I2C and SPI interfaces. This issue arises from a race condition in the 'ndlc_remove' function, which can lead to improper memory management. When the driver is removed, there is a possibility that the 'ndlc' structure is still being accessed by a scheduled work function, creating a conflict that can be exploited.

Impact

Exploitation of this vulnerability can lead to memory corruption issues, potentially allowing for arbitrary code execution or causing a system crash.

Reproduction

The vulnerability can be reproduced by loading the ST-NCI driver for I2C or SPI, which invokes the 'ndlc_probe' function. This function binds the 'ndlc' structure to a work queue. If the driver is removed while the work is still pending, the 'ndlc' structure may be accessed after it has been freed, causing a use-after-free condition.